Merge branch 'main' into patch-1

This commit is contained in:
Denise Vangel-MSFT
2022-03-15 12:53:10 -07:00
committed by GitHub
144 changed files with 1817 additions and 352 deletions

View File

@ -8,7 +8,7 @@ ms.topic: article
ms.prod: w11
ms.technology: windows
author: lovina-saldanha
ms.date: 10/07/2021
ms.date: 03/14/2022
---
# Secured-Core PC Configuration Lock
@ -48,31 +48,31 @@ The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Int
- **Profile type**: Templates
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates":::
1. Name your profile.
1. When you reach the Configuration Settings step, select “Add” and add the following information:
- **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- **Data type**: Integer
- **Value**: 1 </br>
To turn off Config Lock. Change value to 0.
To turn off Config Lock, change the value to 0.
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
:::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1":::
1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
1. You'll not need to set any applicability rules for test purposes.
1. Review the Configuration and select “Create” if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
:::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
:::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
:::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending":::
## Disabling
## Configuring Secured-Core PC features
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off":::
## FAQ
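Review bot: the Value bullet still ends in `1 </br>`, which is not a valid HTML tag (there is no closing form of `br`); use `<br>` or, better, end the bullet at the value and put "To turn off Config Lock, change the value to 0." on its own line so it reads as a separate instruction rather than part of the Value field. While this block is being touched, the context line "You'll not need to set any applicability rules for test purposes." would read more naturally as "You don't need to set any applicability rules for test purposes." The expanded alt-texts are a clear improvement.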
@ -89,45 +89,45 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m
|[ApplicationControl](applicationcontrol-csp.md)
|**MDM policies** |
|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |
|**MDM policies** | **Supported by Group Policy** |
|-----|-----|
|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | No |
|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | No |
|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | Yes |
|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes |
|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes |
|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | Yes |
|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| Yes |
|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | Yes |
|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| Yes |
|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | Yes |
|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | Yes |
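Review bot: the new "Supported by Group Policy" column has no explanation of what "Yes" and "No" mean; the two DataProtection rows are the only "No" entries, which implies MDM is the sole way to manage those settings under Config Lock, and a sentence under the table saying so (and that "Yes" means a Group Policy equivalent exists, not that Group Policy is required) would remove that ambiguity. Also, the table above this one (the `[ApplicationControl](applicationcontrol-csp.md)` row is its last visible line) keeps a single column, so make sure a blank line or heading separates the two tables; otherwise the new two-column header row can be parsed as a continuation of the one-column table.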

View File

@ -90,6 +90,8 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following is an example of a `Collection` XML.
``` xml
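Review bot: the added sentence "With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element ..." never names the element, so the reader has to discover it from the XML example further down. Suggest: "Starting with Windows 10 KB5011543 and Windows 11 KB5011563, the `Collection` XML supports an additional `OutputFileFormat` element that determines whether the CSP writes the output as a flattened folder structure instead of one folder per directive." That also fixes the missing conjunction between the two KB numbers and drops the first-person "we have added", which this reference page does not use elsewhere in the visible text.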
@ -104,6 +106,7 @@ The following is an example of a `Collection` XML.
<Command>%windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\</Command>
<FoldersFiles>%ProgramData%\temp\*.*</FoldersFiles>
<Events>Application</Events>
<OutputFileFormat>Flattened</OutputFileFormat>
</Collection>
```
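Review bot: the example now carries `<OutputFileFormat>Flattened</OutputFileFormat>` with no indication that the element depends on the KB updates named just above it. Later text says that an absent or unrecognized element leaves the old per-directive layout, but it does not say whether a build without those updates behaves the same way; anyone automating extraction of the uploaded zip needs to know which layout to expect, so a sentence after the example stating the behaviour on builds without KB5011543/KB5011563 would prevent that surprise.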
@ -176,6 +179,11 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- .evtx
- .etl
- **OutputFileFormat**
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
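Review bot: "it will leave the file structure in old structure" in the new OutputFileFormat bullet is ungrammatical and vague; suggest "the CSP keeps the previous layout, with a separate folder for each directive in the XML." Because "Flattened" is described as the only supported value, also state explicitly that any other value is treated the same as an absent element rather than rejected, and whether the comparison is case-sensitive: a typo such as "flattened" would otherwise produce the old layout with no error to point at the cause. Replace the curly quotes around Flattened with backticks to match the `Collection` formatting used earlier in this file.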
@ -367,6 +375,7 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to rep
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">

View File

@ -66,7 +66,7 @@ Installation date of the application. Value type is string. Supported operation
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.\<TimeOut\> 0 will set the timeout to infinite.
Here is an example:
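Review bot: the new sentence "\<TimeOut\> 0 will set the timeout to infinite." is appended directly to "...get the AADUserToken." with no space, so it renders as one run-on sentence about an unrelated tag. Put it in its own paragraph and give it the same detail the DownloadFromAad sentence has: which section of the XML the tag belongs to, the unit of the value, and the default when the tag is omitted. "Infinite" also deserves a clarifying phrase such as "the download never times out", since a server that sets 0 is opting out of the failure path for a stalled download and should know that is what it is doing.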
@ -112,7 +112,7 @@ Value type is string. Supported operation is Get.
Added in the March service release of Windows 10, version 1607.
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.
Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when an Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.
Value type is string. Supported operation is Get.
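Review bot: "an Admin" is the right article, but the same sentence still reads "to detect matching upgrade MSI product"; suggest "to detect a matching upgrade MSI product when an admin wants to update an existing MSI app", with lowercase "admin" since it is not a product name.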
@ -261,7 +261,7 @@ The following table describes the fields in the previous sample:
|Name|Description|
|--- |--- |
|Add|This is required to precede the Exec command.<li>CmdID - Input value used to reference the request. Responses includes this value, which can be use to match the request and response.<li>LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.|
|Add|This is required to precede the Exec command.<li>CmdID - Input value used to reference the request. Responses include this value, which can be used to match the request and response.<li>LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.|
|Exec|The Exec node includes the parameters and properties requires to locate, download, validate and perform product installation.<li>CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.<li>LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.<li>Data - The Data node contains an embedded XML, of type “MsiInstallJob”<li>MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).|
</table>
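Review bot: the Exec row directly below the corrected Add row still has the same class of errors: "parameters and properties requires" should be "required", and "Responses will include this value which can be used to match request and response" should get the comma and article the Add row now has ("Responses include this value, which can be used to match the request and response"). Fixing both rows in the same change keeps the two descriptions parallel.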
@ -370,7 +370,7 @@ Here is an example of a common response to a request
## How to determine which installation context to use for an MSI package
The following tables shows how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
The following tables show how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client.
For Intune standalone environment, the MSI package will determine the MSI execution context.
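Review bot: "tables show" is correct; in the same sentence "per machine" should be hyphenated to match "per-user" ("per-user, per-machine, or dual mode"), and the following line reads better as "In an Intune standalone environment, the MSI package determines the MSI execution context."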

View File

@ -36,6 +36,9 @@ manager: dansimp
<dd>
<a href="#search-allowsearchtouselocation">Search/AllowSearchToUseLocation</a>
</dd>
<dd>
<a href="#search-allowsearchhighlights">Search/AllowSearchHighlights</a>
</dd>
<dd>
<a href="#search-allowstoringimagesfromvisionsearch">Search/AllowStoringImagesFromVisionSearch</a>
</dd>
@ -323,6 +326,63 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="search-allowsearchhighlights"></a>**Search/AllowSearchHighlights**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether search highlights are shown in the search box or in search home.
- If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home.
- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow search and highlights*
- GP name: *AllowSearchHighlights*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values in Windows 10:
- Not Configured/ Enabled (default) Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home.
- Disabled Disabling this setting turns off search highlights in the taskbar search box and in search home.
The following list shows the supported values in Windows 11:
- Not Configured/ Enabled (default) Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home.
- Disabled Disabling this setting turns off search highlights in the start menu search box and in search home.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-allowstoringimagesfromvisionsearch"></a>**Search/AllowStoringImagesFromVisionSearch**
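Review bot: the ADMX friendly name `*Allow search and highlights*` does not match the GP name `AllowSearchHighlights`; if the policy's actual title is "Allow search highlights", the "and" is a typo and should be removed. In both supported-values lists, "Not Configured/ Enabled (default) Enabling or not configuring ..." runs the value and its description together with no separator; use "- Not Configured/Enabled (default): Enabling or not configuring this setting turns on ..." and "- Disabled: Disabling this setting turns off ..." so the value is distinguishable from its effect. Finally, the description says what the policy toggles but not what search highlights are; a one-line definition or a link to the search highlights documentation would help admins deciding whether to disable the feature on managed devices.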